Hi
I'm reviewing the way client authentication is expected to be done when
either SAML or JWT bearer assertion is used as a grant [1] which
corresponds to the case described in [2].
[1] says: "Authentication of the client is optional...".
Can someone please clarify how it can be optional given that in this
case the subject of the assertion does not identify a client? Is it about
supporting unregistered clients which have somehow managed to obtain the
assertion grants?
Thanks, Sergey
[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-4.1
[2] http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth